Educause Security Discussion
mailing list archives
Re: Pre Production System Accreditation
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 5 Sep 2007 14:42:48 -0400
On Wed, 05 Sep 2007 12:35:14 CDT, Dan Johnson said:
Instead of adding more to the long message that this has become... the axiom
provided is completely true. As security professionals, we all need to
strive for the perfection of secure systems.
Erm. No. We don't want a perfectly secure system. We want an *appropriately*
secure system. At some point, the costs of better security outweigh the benefits.
And the sysadmins actually realize it at a gut level, even if they can't spell
it out - that's why they tend to say "here comes the security geek with a bunch
of silly rules and dumb restrictions". Because quite often, they *know* that
some of the requirements don't make much difference in *real* security.
Of course, deciding what a "sufficiently high" level of security should be
for a given system is a whole *different* can of worms.. ;)
- Re: Pre Production System Accreditation, (continued)